Messages - mkonecny

#1
I have two OPNsense virtual appliances - one is running in Azure, the other one on prem (ESXi). Both appliances are able to create and manage policy-based IPsec connections; an attempt to establish a route-based IPsec connection fails, because on both sides there is no possibility to create a gateway with an IPsec interface (only LAN and WAN are offered). I've configured the following on both devices:
- Create phase 1 entry, "Install policy" unchecked
- Create phase 2 entry with two consecutive IP addresses for local and remote site
- Activate the IPsec connection (was successfully established)
- Create a single gateway - no IPsec interface available, so it is not possible to route the traffic
- Changing the local and remote network to /30 did not help - still no IPsec interface available

Internet search brought no proper solutions for this issue - any idea?

Thanks and regards, MK
#2
I have found the reason for this problem: I had transposed digits in the firewall rule for incoming IPsec traffic. The rest was OK - now the traffic is passing the tunnel in both directions.
#3
I've configured on the WAN interface the standard three rules - 500 (ISAKMP), 4500 (NAT-T), ESP - and the tunnel is coming up properly. The behaviour is quite strange - the traffic can pass the tunnel in the direction from OPNsense to the external firewall (Sophos UTM). From Sophos UTM towards OPNsense the traffic is not able to pass the tunnel. I can neither access the WebGUI nor resources behind the OPNsense.
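A sanity check for the WAN rules discussed in #2 and #3, added here as an example (not code from OPNsense or the poster): it models the rules as plain dicts (a hypothetical format, not the OPNsense config schema), verifies that the three standard rules (UDP 500, UDP 4500, ESP) exist for the peer address, and flags any rule whose address is a digit transposition of that peer, which is the typo described in #2. The peer address and rule set are constructed.

```python
"""Sanity-check the WAN firewall rules a site-to-site IPsec peer needs.

Added example, not code from the OPNsense project or the poster. Rules are
plain dicts (hypothetical format, not the OPNsense config schema).
"""
import ipaddress

# The three rules the thread names for the WAN interface: ISAKMP, NAT-T, ESP.
REQUIRED = {("udp", 500), ("udp", 4500), ("esp", None)}


def digit_transpositions(addr: str) -> set:
    """Return every string obtained by swapping two adjacent, differing digits."""
    out = set()
    for i in range(len(addr) - 1):
        a, b = addr[i], addr[i + 1]
        if a.isdigit() and b.isdigit() and a != b:
            out.add(addr[:i] + b + a + addr[i + 2:])
    return out


def check_ipsec_rules(rules: list, peer: str) -> dict:
    """Report required rules missing for peer and rules that look like typos of it."""
    ipaddress.ip_address(peer)  # raises ValueError on a malformed peer address
    typos = digit_transpositions(peer)
    present, suspicious = set(), []
    for r in rules:
        if r["source"] == peer:
            present.add((r["proto"], r.get("dport")))
        elif r["source"] in typos:
            suspicious.append(r)  # one digit pair swapped: the #2 failure mode
    missing = sorted(REQUIRED - present, key=str)
    return {"missing": missing, "suspicious": suspicious}


# Constructed sample: documentation address for the remote site, and the
# poster's three WAN rules with the ESP rule carrying transposed digits.
PEER = "203.0.113.24"
SAMPLE_RULES = [
    {"proto": "udp", "dport": 500, "source": PEER},
    {"proto": "udp", "dport": 4500, "source": PEER},
    {"proto": "esp", "source": "203.0.113.42"},
]

if __name__ == "__main__":
    print(check_ipsec_rules(SAMPLE_RULES, PEER))
```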
#4
I'm currently testing an Azure environment with an OPNsense firewall for external communication. The OPNsense was deployed by https://github.com/dmauser/opnazure/ with two network interfaces. The initial configuration with a Let's Encrypt WebGUI certificate was successful and the appliance is accessible via the external interface and WebGUI. After creating a site2site IPsec tunnel between the OPNsense and another external firewall, the tunnel is successfully coming up, but it's not possible to access internal resources behind the OPNsense. We are running a lot of site2site IPsec connections on virtual OPNsense appliances (Hyper-V, ESX) without any problems, and a similar Azure environment with Sophos XG is working properly. Any ideas about the reason for this issue?

Thanks and regards, Mike
#5
We tried to set up a CARP configuration with two OPNsense V20 under Hyper-V 2016 by setting up a second OPNsense, carrying out the configuration according to the guide and then restarting both nodes. Afterwards there were massive problems with Internet access - even when accessing the ISP gateway from other devices there was packet loss and the response times were at times extremely high.

The Hyper-V servers are connected to the switch via NIC teaming and communication with it takes place over tagged VLANs. Does anyone have such a configuration running?